Monthly Archives: February 2017

Ubuntu

USN-3183-1: GnuTLS vulnerabilities

Ubuntu Security Notice USN-3183-1

1st February, 2017

gnutls26, gnutls28 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in GnuTLS.

Software description

  • gnutls26
    – GNU TLS library

  • gnutls28
    – GNU TLS library

Details

Stefan Buehler discovered that GnuTLS incorrectly verified the serial
length of OCSP responses. A remote attacker could possibly use this issue
to bypass certain certificate validation measures. This issue only applied
to Ubuntu 16.04 LTS. (CVE-2016-7444)

Shi Lei discovered that GnuTLS incorrectly handled certain warning alerts.
A remote attacker could possibly use this issue to cause GnuTLS to hang,
resulting in a denial of service. This issue has only been addressed in
Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8610)

It was discovered that GnuTLS incorrectly decoded X.509 certificates with a
Proxy Certificate Information extension. A remote attacker could use this
issue to cause GnuTLS to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2017-5334)

It was discovered that GnuTLS incorrectly handled certain OpenPGP
certificates. A remote attacker could possibly use this issue to cause
GnuTLS to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2017-5335, CVE-2017-5336, CVE-2017-5337)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libgnutls30

3.5.3-5ubuntu1.1
Ubuntu 16.04 LTS:
libgnutls30

3.4.10-4ubuntu1.2
Ubuntu 14.04 LTS:
libgnutls26

2.12.23-12ubuntu2.6
Ubuntu 12.04 LTS:
libgnutls26

2.12.14-5ubuntu3.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-7444,

CVE-2016-8610,

CVE-2017-5334,

CVE-2017-5335,

CVE-2017-5336,

CVE-2017-5337

Ubuntu

USN-3184-1: Irssi vulnerabilities

Ubuntu Security Notice USN-3184-1

1st February, 2017

irssi vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Irssi.

Software description

  • irssi
    – terminal based IRC client

Details

It was discovered that the Irssi buf.pl script set incorrect permissions. A
local attacker could use this issue to retrieve another user’s window
contents. (CVE-2016-7553)

Joseph Bisch discovered that Irssi incorrectly handled comparing nicks. A
remote attacker could use this issue to cause Irssi to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2017-5193)

It was discovered that Irssi incorrectly handled invalid nick messages. A
remote attacker could use this issue to cause Irssi to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2017-5194)

Joseph Bisch discovered that Irssi incorrectly handled certain incomplete
control codes. A remote attacker could use this issue to cause Irssi to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2017-5195)

Hanno Böck and Joseph Bisch discovered that Irssi incorrectly handled
certain incomplete character sequences. A remote attacker could use this
issue to cause Irssi to crash, resulting in a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2017-5196)

Hanno Böck discovered that Irssi incorrectly handled certain format
strings. A remote attacker could use this issue to cause Irssi to crash,
resulting in a denial of service. (CVE-2017-5356)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
irssi

0.8.19-1ubuntu2.1
Ubuntu 16.04 LTS:
irssi

0.8.19-1ubuntu1.3
Ubuntu 14.04 LTS:
irssi

0.8.15-5ubuntu3.1
Ubuntu 12.04 LTS:
irssi

0.8.15-4ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Irssi to make all the
necessary changes.

References

CVE-2016-7553,

CVE-2017-5193,

CVE-2017-5194,

CVE-2017-5195,

CVE-2017-5196,

CVE-2017-5356

Ubuntu

USN-3185-1: libXpm vulnerability

Ubuntu Security Notice USN-3185-1

1st February, 2017

libxpm vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

libXpm could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • libxpm
    – X11 pixmap library

Details

It was discovered that libXpm incorrectly handled certain XPM files. If a
user or automated system were tricked into opening a specially crafted XPM
file, a remote attacker could use this issue to cause libXpm to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libxpm4

1:3.5.11-1ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libxpm4

1:3.5.11-1ubuntu0.16.04.1
Ubuntu 14.04 LTS:
libxpm4

1:3.5.10-1ubuntu0.1
Ubuntu 12.04 LTS:
libxpm4

1:3.5.9-4ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2016-10164

Ubuntu

USN-3186-1: iucode-tool vulnerability

Ubuntu Security Notice USN-3186-1

1st February, 2017

iucode-tool vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

iucode-tool could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • iucode-tool
    – Intel processor microcode tool

Details

It was discovered that iucode-tool incorrectly handled certain microcodes
when using the -tr loader. If a user were tricked into processing a
specially crafted microcode, a remote attacker could use this issue to
cause iucode-tool to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
iucode-tool

1.6.1-1ubuntu0.1
Ubuntu 16.04 LTS:
iucode-tool

1.5.1-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0357

NVD

CVE-2016-6001

IBM Forms Experience Builder could be susceptible to a server-side request forgery (SSRF) from the application design interface allowing for some information disclosure of internal resources.

NVD

CVE-2016-5942

IBM Kenexa LMS on Cloud is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

NVD

CVE-2016-5953

IBM Sterling Order Management transmits the session identifier within the URL. When a user is unable to view a certain view due to not being allowed permissions, the website responds with an error page where the session identifier is encoded as Base64 in the URL.

NVD

CVE-2016-6115

IBM General Parallel File System is vulnerable to a buffer overflow. A remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with root privileges or cause the server to crash.